The Phorm concept is basically to put a tracking cookie on BT subscribers' PCs, allowing them to know which websites those subscribers have surfed and then serve adverts to them based on their behavior. It’s probably legal because personally identifiable information is not collected and the service can be opted out of. Because BT have a massive subscriber base, the idea is that Phorm could then send more targeted and relevant ads to individuals.

It’s no different for you as a consumer going to a website which tracks your behavior and targets ads based on what you look at. They’re just doing it on a wider scale (everything you look at is recorded, not just individual websites) and with more behavioral data than before.
BT have shown very poor form in how they have handled this. Firstly, instead of openly and transparently informing their subscribers and explaining what they are doing, they have conducted trials without their subscribers’ knowledge. Some sources say this was illegal, but if BT have illegally conducted tests on people who hadn’t somehow opted into WebWise or something similar then they would have to be incredibly stupid. Knowing some folks from BT I know this is unlikely to be the case. Secondly, they have not defended their position other than with legal statements, and they have only one page explaining what the WebWise service is all about. BT focuses on the anti-fraud protection and the ability to switch the service on and off.

The ability to opt-in and opt-out probably makes the service legal. I say probably because I am not a lawyer but by giving the users the freedom to turn the service off they are most likely covered, so I am inclined to disagree with the stance of Dr Richard Clayton that BT should be prosecuted. It would most likely be a waste of money and serve no purpose other than to scare an already confused general public. Unless the prosecution would be a landmark case designed to educate big companies about their PR responsibilities!
Hitwise, Comscore and others have been collecting data from ISPs for years. The manner in which they have used the information is different: they aren’t using it to specifically serve ads to people, they use it to show Internet demographic and behavioral patterns. But their panel sizes are similar and similar data is aggregated.

Whether this is a concern or not is a matter for debate. My feeling as a web analytics specialist looking at data every day is that most of the reasons why this might be worrying are overstated. I never know whose behavior I am looking at and am concentrating more on the trends of overall traffic than anything else. You can never go beyond the IP address to find out who is being tracked, and the IP address might give a general location (like a city) but that is about as close as it gets. So from the data in BT’s case you might be able to know the behavior of “someone in London” if you really drill down into the data.

Internet privacy concerns worry people because of the lack of clear understanding. You’re well protected already and this case proves it.

BT have the information already. If you’re their customer they can look at your data and know exactly what you have been doing. It’s not an easy process because they would need to first track the dynamic IP addresses you were assigned and then collate all that data over a given time period. So it’s not like your name sits in a database and BT can extract everything you’ve done; a lot of work per person would be required to collate that data. This is how the police can, for instance, track child molesters online: they ask the ISPs to extract the data and build up a behavioral profile. But doing that falls under the Data Protection Act, and the data can only be retrieved when the law has been broken and an investigation is underway. It is not legal for BT to look at that data any time they wanted to.
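Added example (mine, not code from the post or from BT/Phorm) of the collation step described above: joining an ISP’s dynamic-address lease log with the (timestamp, IP, cookie UID) events a profiling box records resolves each event to a subscriber account, and it also shows that the cookie UID, not the IP address, is the identifier that persists across address changes. All accounts, addresses, sites and times are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data for illustration; not records from BT, Phorm or the post.
# An ISP's dynamic-address lease log: (account, ip, lease start, lease end).
# Account 1001 moves from .7 to .9 at noon, and .7 is re-issued to account 2042.
LEASES = [
    ("acct-1001", "198.51.100.7", "2008-03-01T08:00", "2008-03-01T12:00"),
    ("acct-2042", "198.51.100.7", "2008-03-01T12:00", "2008-03-01T20:00"),
    ("acct-1001", "198.51.100.9", "2008-03-01T12:00", "2008-03-01T20:00"),
]

# What a profiling box in the ISP network sees per request:
# (timestamp, client ip, cookie UID, site). No name, login or phone number appears.
EVENTS = [
    ("2008-03-01T09:15", "198.51.100.7", "uid-A", "news.example"),
    ("2008-03-01T11:40", "198.51.100.7", "uid-A", "bank.example"),
    ("2008-03-01T13:05", "198.51.100.7", "uid-B", "shop.example"),
    ("2008-03-01T14:30", "198.51.100.9", "uid-A", "news.example"),
    ("2008-03-01T23:00", "198.51.100.9", "uid-A", "mail.example"),  # outside any lease
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def account_for(ip, ts, leases=LEASES):
    """Account that held `ip` at time `ts`; None if no lease entry covers it.
    Leases are half-open intervals [start, end), so an event at a hand-over
    time (12:00 here) is assigned to the new holder, not the old one."""
    t = _ts(ts)
    for acct, lease_ip, start, end in leases:
        if lease_ip == ip and _ts(start) <= t < _ts(end):
            return acct
    return None


def attribute_events(events=EVENTS, leases=LEASES):
    """Resolve every observed event to (account_or_None, uid, site, ts)."""
    return [(account_for(ip, ts, leases), uid, site, ts) for ts, ip, uid, site in events]


def profiles_by_account(events=EVENTS, leases=LEASES):
    """Browsing profile per account: account -> sorted list of sites.
    Events no lease covers (clock skew, gaps in the lease log) land under None,
    which is the part of the collation that actually takes work."""
    sites = defaultdict(set)
    for acct, _uid, site, _when in attribute_events(events, leases):
        sites[acct].add(site)
    return {acct: sorted(s) for acct, s in sites.items()}


def ips_for_uid(uid, events=EVENTS):
    """Addresses a cookie UID was seen from: the UID survives an address change,
    so it, not the IP, is the stable key of the profile."""
    return {ip for _when, ip, u, _site in events if u == uid}


def accounts_for_uid(uid, events=EVENTS, leases=LEASES):
    """Accounts a cookie UID resolves to once the lease log is joined in."""
    return {acct for acct, u, _site, _when in attribute_events(events, leases)
            if u == uid and acct is not None}


if __name__ == "__main__":
    for acct, sites in profiles_by_account().items():
        print(acct, sites)
    print("uid-A seen from", sorted(ips_for_uid("uid-A")))
    print("uid-A belongs to", accounts_for_uid("uid-A"))
```

Note that the 13:05 event on 198.51.100.7 goes to acct-2042 only because the lease log is consulted; by IP alone it would be attributed to the address’s earlier holder.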

Just like it’s not legal to look at credit information without following the Consumer Credit Protection Act.
The reason that services like Phorm are being tested at BT is because of good practice. It shows BT are not exploiting the data they are not allowed to look at. They are trying to follow good practice, but rather than explain this openly they made an almost laughable error. I mean it would be funny if it weren’t so serious.

Claims that this could lead to hacking and cyber terrorism are quite frankly scaremongering. About the worst thing that could happen is that a hacker could send an advert to the subscribers. OK, they could break in and send propaganda about Al Qaeda, but that’s not what people talking about cyber terrorism are discussing. We’re talking about manipulating cookie text strings that cannot execute anything.

I completely understand the concerns raised, and BT’s lack of transparency is in my view appalling and doesn’t help the industry at all. If Google, Microsoft or Yahoo! had done this then the whole world and his dog would be calling for blood.

Steve is a well known analytics specialist, author and speaker. A pioneer since 2002, he established one of the first European web analytics consultancies (Aboavista), later acquired by Satama (now Trainers’ House) in 2006. In 2008 he wrote his first book Cult Of Analytics published on May 14th 2009.
He currently serves as CEO at Quru and has presented and keynoted web analytics topics across Europe. These include The Internet Marketing Conference (Stockholm), Search Engine Strategies (Stockholm), IIH (Copenhagen), the IAB Finland (Helsinki), Media Plaza (Amsterdam), Design For Conversion (Amsterdam), The eMetrics Summit (London, Munich, Stockholm) and Divia (Helsinki), in addition to sitting on dozens of panels.

With respect, I think you have missed the main point completely. Let me explain ..
I do not want all my phone calls intercepted and listened to by unknown 3rd parties.
I do not want all my snail mail opened up and examined by unknown 3rd parties.
I do not want all my browsing habits examined by unknown 3rd parties.
Is that clear enough for you?

This does not just place a cookie to watch where you go; it actually pretends to be the website you visit to forge the cookie, then mirrors everything you see on your screen. It is like the postman opening up your letter to read it, then giving you junk mail to fit keywords in the letter.

The other way to describe what can happen is that it is like having a stalker following you everywhere you go, who knows what you see and knows where you have been. You have no privacy.

When you say: “My opinion is that BT have made a monumental PR blunder (I mean the kind that can go down in history as how not to do it) but nothing more.”

You miss the fact that what they did is actually against the law!

If we allow what they did to continue it IS the same as people opening all your letters to decide on a better class of junk mail for you to be sent. They can see and read ALL your letters when they do that.

It’s a joke to try and make this seem less significant than it is. 18,000 customers, spied on (really) without being asked. That is not right.

There is so much to fault in your blog that it is impossible to do it in a comment; so I will make only these points:

1. Using Deep Packet Inspection technology for the purpose of behavioural advertising in the EU is illegal. There are no ifs or buts, it is clear legal fact and is based around consent issues. It is impossible to get the consent of all parties as required given that the Internet consists of billions of web sites. There is currently no way Phorm can be legal using DPI and in fact, since the EU decided to emphasise informed consent even more in recent regulations, it is unlikely this situation is going to change.

2. There are plenty of methods available for collecting the same data without requiring the use of such intrusive technology. If Phorm are so confident that people want this product they should develop LEGAL client side software (as in -not rootkits- as they did in their previous incarnation as 121Media). That way people would have a clear understanding and a clear choice. Building an entire 21st century network topology based on interception of communications is a ridiculously dangerous path to go down (which is why it is illegal).

3. You may not value your privacy. You may be happy for 3rd party equipment to sit in the network between yourself and the Internet and read every single piece of unencrypted data you access/send over the web, that is fine and you are entitled to that position. Many of the rest of us however value our rights and frankly we find it offensive that a former spyware (or any other) company feel they have the right to steal what the police and law enforcement authorities must obtain a warrant for.

4. Privacy is an inalienable and fundamental Human Right covered in Articles 7 and 8 of the European Convention on Human Rights 1950, Human Rights Act 1998, Regulation of Investigatory Powers Act 2000, Privacy and Electronic Communications (EC Directive) Regulations 2003, Data Protection Act 1998. Furthermore, the covert trials in 2006/2007 and the planned deployment of the current model are in violation of Fraud Act 2006, Computer Misuse Act 1990, Torts (Interference with Goods) Act 1977 and Copyright, Designs and Patents Act 1998.

In conclusion, whether you think it is OK or not is wholly irrelevant; it is in violation of both criminal and common law and as such BT should be prosecuted for their covert trials in full and Phorm should be prosecuted for conspiracy under the same. Also, Phorm’s “services” should be banned in their current form as they are in violation of criminal and common law; and believe me, once we manage to initiate a case in the courts an injunction to prevent Phorm from deploying in the UK will be filed for.

1/. Tracking Cookie: It is NOT a Tracking Cookie, it is a Cookie which acts as a UID which links the user to a profile using ‘Divine Intervention*’ (*that is, if you accept Phorm’s explanation of how it works).

The UID will be used each and EVERY time you visit ANY* Website to create a profile of what you have been browsing. (excluding SSL Encrypted Sites)

The Papers for the Trials in 2006 Prove without a doubt that the IP Address was used to track back to the user.

The EU have ruled that an IP Address IS Personally Identifiable Information. Therefore, your conclusion is inept at the very least.

3/. Opt-in part 1: You say “Some sources say this was illegal but if BT have illegally conducted tests to people who hadn’t somehow opted into WebWise or something similar then they would have to be incredibly stupid.”

The 2006 Trial Papers clearly indicate that BT tried to ensure that NO Customer was aware of what was happening.

Additionally BT have ALREADY confirmed that they did not offer any Opt-out, nor any other information, to the Trialed Customers.

To summarise this point, you say “… they would have to be incredibly stupid.” I will not comment on your conclusion.

4/. Opt-in part 2: You say “The ability to opt-in and opt-out probably makes the service legal.”

Firstly, this implies two things under DPA:

i) The User is aware fully of the system and makes an informed decision.

ii) Phorm are 100% sure that the User is fully aware and can subsequently assume applied consent in the absence of Consent.

Firstly, if every User was given all the information about the system, the user would say no and Opt-out. This has been proven in poll after poll regarding this subject.

Secondly, Phorm cannot consider consent in the absence of consent due to the nature of the browser in question. Why? It is against the Law in Europe to gain consent from a minor, and the likelihood is that the individual using the PC is a minor. Therefore it would be foolish, to say the least, to assume consent in the absence of consent.

5/. IP: You say “You can never go beyond IP address to find out who is being tracked and the IP address might give a general location (like city) but that is about as close as it gets.”

This is a unique circumstance, in which the Company is working very closely with the ISP. You cannot, as I cannot, prove or disprove, at this time, that Phorm have access to more information about the user based on the IP.

@all;
Thank you for the comments, which I have tried to answer from my perspective. I understand that feelings run strong and haven’t edited anyone’s posts. But I would ask that we try to keep this discussion civil if indeed you want to continue it. Thanks.

@Phorm (anonymous)
I read the document (PDF) that Dr Clayton wrote and I understand it fully. I double checked the facts and understand your point but don’t see why that is a bad thing as there is nothing personal about it.

@Gemma
With respect, I agree, but I don’t think BT have the capacity to do what you suggest by using Phorm. They do not know who “you” are, can’t open your snail mail with Phorm or tap your phone calls. As I understand it they are taking “aggregate data” about behavior, not examining what individuals do.

@Florence
Again I fully understand your concern. But I don’t really think it is like the postman opening your letters to give you junk mail about what you’re interested in.

It’s more like the local city store stocking stuff that you and your entire city might find useful based on what everyone in the city is doing.

@Anon;
As I understand it, it’s simply a case of opting out of WebWise. This is not difficult to do according to BT.
(http://webwise.bt.com/webwise/help.php)
If, as you suggest, the information is still passed to Phorm after opt-out then this is something I have missed and could find no information about. Not in Dr Clayton’s document, on BT’s site or any other source.

@John
Policy-based routing has been used by ISPs all over the world for a variety of reasons for decades. Phorm is another version of this methodology. Deep packet technology and PBR can be used legally in the EU as long as it follows the regulations set out in the laws that Alexander mentions.

@Alexander;
As I said, I am not a lawyer, but as I understood it there was no law that said you couldn’t use PBR technology for behavioral advertising purposes IF all the content partners have opted into Phorm’s service. This, according to Dr Clayton, is how this service reputedly works. I quote:
“Early speculation about the Phorm system suggested that it added adverts to web pages, or replaced them “on the fly”. This is not what happens, the specially targeted adverts only appear on participating websites.”

However this is the part where I have to hold up my hands and say I am not sure. I am not a lawyer. If this is the case and what has been done by BT is illegal then I retract my statement about disagreeing with Dr Clayton regards prosecution. It then becomes a far more serious matter. However the documentation I have read does not say this anywhere.

@Privacy_Matters:

The EU have not ruled that IP addresses are personal identifiers. It’s been discussed but it is not a ruling. There would be major implications if IP addresses were ruled personally identifiable and this is not the case. Therefore I will disregard the comment about my inept conclusion as simply a strong opinion. The other comments I largely agree with. BT would have to be stupid, and if they have broken the law then they should be prosecuted, but I think the matter is not as cut and dried as everyone seems to think.

If I wished my internet intercepted, mirrored and keywords gathered then I would still say no to this method. Give me a place on my ISP to fill in my interests, what I might buy, what cars I like etc.; do not spy on my surfing. I actually help in a public forum and many times search for information to help these members. This is 90% of the time nothing I have interests in, I am just helping them find answers, so why would I want adverts? I actually block all adverts so Phorm has nothing to offer me. Phorm has the ability to mirror https pages and we only have the company’s word they will not… The post office has had times when post hasn’t got through due to temptation and people who couldn’t resist. Putting Phorm on the network is putting temptation at ISP level for anyone who has the mind to use this for their own gains.
The patent for Phorm does show it can gather IP numbers.
Phorm does break rules intercepting the connection between myself and a website. Website owners will most likely not like the fact it mirrors their site, forges cookies and then selects adverts from their site to direct them to other websites that are in the OIX platform.

On no account should an ISP charge a customer, limit downloads then sell the clicks for profit.

@Florence;
Phorm doesn’t have the ability to mirror HTTPS requests. HTTPS is encrypted. Phorm could only mirror the encrypted information which is largely pointless.

SSL is not something that BT or Phorm can affect, https certificates are issued by 3rd parties such as Verisign – that is why it is secure. If you have https requests phorm can’t read them. It’s that simple.
More information here

I get your point about temptation, but as a phorm employee or an employee working for BT based on the current description of the technology from Dr Clayton I can’t see how they would ever be able to identify you as a person. All they will have is a cookie ID that points to a dynamically generated IP address which at best will give them the location of your city.

If it were personal identification I would be as strongly opposed as you but it appears to me that it is not.

A comment was made earlier about the cookie ID being tracked across multiple websites. In my opinion it doesn’t matter as long as the individual behind the IP address can’t be identified. It’s just more huge amounts of data that phorm and BT have to deal with and it’s much more difficult to locate individuals in the aggregation of huge amounts of data.

Your point about website owners resisting the mirroring is valid, but according to Dr Clayton they have all opted in (to receive ads) so that BT can serve better adverts on their sites. Only sites which agree to the ads are subject to the Phorm technology. Of course Phorm mirrors everything, but why should a site owner care if their site or user experience is not affected? Phorm re-directs appear to the end user in a very similar way to current DART or other advertising technology, fast and pretty seamless for the end user. If for instance CNN had not allowed the Phorm tags to be placed on their site they would not receive any Phorm adverts.

Every argument I’ve heard seems to me to stem from very bad BT practice in their openness and transparency rather than flouting the law. If as Alexander suggests they have broken the law then they should expect the full punishment of the law. However when I see that the regulatory bodies such as the ICO have not seen a need to push it further then I am skeptical that BT or Phorm are doing anything illegal. The ICO have a good record in defending personal information.

“Every argument I’ve heard seems to me to stem from very bad BT practice in their openness and transparency rather than flouting the law…”

Yes, you have an interesting POV. You as an industry person know, and can sense a good thing when you see it OC, and again, if no case has come up in the courts to be challenged, that too makes it fine, it’s legal.

Stanford too has that same keen sense, you know of him I assume? A well respected high ranking UK Top Executive that couldn’t be touched as he had the gift.

‘Stanford was the founder of the ISP Demon Internet in 1992 but sold it to Scottish Telecom for £66 million in 1998.

It is reported that Stanford made £30 million from the acquisition. Shortly afterwards Stanford was a co-founder of the co-location and data centre company Redbus Interhouse…..”

Thank you for the replies Mr. Blackbeak!
Obviously this is a very emotive subject for a lot of people . feelings are running high in many places!
I agree that BT/Phorm cannot open my mail or tap my phone (I hope?!?) .. but I think my analogy is still the right one! It’s still ‘snooping’ of the most intrusive kind .. and once it is implemented, it will, I fear be impossible to remove.
I don’t give a damn about the ads being there .. I ignore them anyway for the most part .. that is not, and never has been, an issue for me.
Sadly I think it is already too late .. Big Brother is already here, and doing very nicely thank you!

“Hitwise, … and others have been collecting data from ISPs for years.

The manner in which they have used the information is different,
they aren’t using it to specifically serve ads to people, they use it to show Internet demographical and behavioral patterns but their panel sizes are similar and similar data is aggregated.”

Ohh yes, “Hitwise”, now owned by the No1 UK Credit Reference Agency (CRA)
Experian
(the largest of the 3 main ones) used for every single check any company in the world makes on YOUR Credit and related scores.

The very same CRA that all the Banks, BS’s and Broadband companies use, the so called 3B’s that keep the UK’s data flowing and feed YOUR *private* data (note that’s Private, NOT just personal) into the corporate money making machine….

You might not have known this but “Experian” the CRA also use Deep Packet Interception devices, and hope to also install this same DPI in the ISPs’ internal UK wide networks (if they haven’t already..)

So YOU can look forward to having all your most interesting intercepted internet datastreams and their “derivative works” appearing in your Credit Reference files sooner than you might think.

You say “itâ€™s probably legal because personally identifiable information is not collected and the service can be opted out of”, but this not-entirely-accurate portrayal addresses the narrow issue of Data Protection Act compliance. It doesn’t even start to address the other laws that the Phorm scheme breaks.

You then suggest that the secret trials in 2006 didn’t break the law because BT are nice chaps really. Unfortunately despite their inherently sunny disposition, they quite clearly broke the law on interception back then, exactly as they will in future trials. Furthermore, because they didn’t seek any permission, then even on your analysis, they infringed the Data Protection Act.

You say it will be a waste of money to prosecute BT. I disagree. We generally expect large companies to obey the law, and generally they do. However, when they so obviously flout multiple laws in search of financial gain, then as a simple matter of public policy it is important to ensure they are taken to court. The punishment is not the relevant issue: it’s the “to encourage the others” aspect that makes it essential to make an example of them.

You’re also mistaken about the way the police tackle child molesters. Furthermore, the DPA has limited relevance and it’s the Regulation of Investigatory Powers Act that applies.

Firstly, on the DPA point. If BT have not acted transparently and did not seek permission for the trials, or trial with folks who were opted in to WebWise already, then they have clearly broken the law and, as I already commented, should be prosecuted to the full extent of the law. I agree on that and find it incredibly stupid of BT to undertake an operation like this after seeking legal advice as they stated.

I defer to the legal analysis of Nicholas Bohm and retract (though I’ll leave the full original post here for the record) my previous comments. I now agree that a full investigation should be carried out.

If laws have been broken then I agree with you that BT should be prosecuted on your second point for all the reasons you mentioned.

My understanding, without any evidence to the contrary (indeed the Home Office/ICO seemed satisfied), was that section 18 of Nicholas Bohm’s document was satisfied. I refer to this section:

“RIPA s3 is relevant to whether that interception can be lawful. RIPA s3(1) makes it lawful if the interception has the consent of both sender and recipient (or if the interceptor has reasonable grounds for believing that it does).”

My understanding based on your document was that this was satisfied by getting consent from both the consumer and the advertising network.

You state you are not a lawyer so let’s leave the legal arguments to the lawyers. The reason I’m writing is that you also seem to be saying that any attempt to hack the Phorm system would be fruitless and any suggestion of such would be scaremongering.

Well, have you considered that the Phorm kit makes use of redirects as an integral part of its operation? In order to read and manipulate cookies across domains, the Phorm system redirects users up to three times per request.

Would it not be a rich target for cyber criminals to hack the phorm system so that non-encrypted requests to online banks are quietly diverted to phishing sites? These could then provide a link to the “secure” online banking that would of course have a valid certificate but would not be the right domain. Rich pickings for cyber criminals.

I have spent nearly 7 months researching Phorm, from before launch was announced, liaised with many people regarding the technology, and I find it worrying you are making these statements when all the technologists I’ve met agree that the system is intrusive and open to abuse in several ways.

Please stop telling us that IP addresses are not personally identifiable. If they were truly anonymous then the RIAA, MCPS and other interested parties would not be able to track down individual file sharers from their IP address and prosecute them. It is obvious that ISPs can track who you are from a dynamically allocated IP address as you cannot log in anonymously but are identified by either your login credentials or the telephone number of the broadband line through which you connect. The only thing preventing Phorm from accessing this information is “trustworthy” ISPs like BT.

Chris: The problem is when the ISP (in this case BT) does not respect your privacy. When an ISP gives your PII (personally identifiable information) to a 3rd party, which is what it does with Phorm, then I am with you all the way.

The problem there is (and it’s huge) is that Phorm and BT did not comply with privacy law in my opinion and BT specifically allowed Phorm to assign a cookie to personally identifiable information. This in essence is why the EU is taking them to court.

If however I am tracking you via website code and see your IP it means nothing. Even if I found out which company, network or ISP your IP is assigned to it still means nothing. It is unidentifiable. I don’t know who “you” are. I only know what your IP address has done on the website I’m tracking. It’s impossible for me to identify you as a person unless you give me permission.

Now this in my view is where people get confused about what is tracking marketing activity and what is or should be illegal.

Ethical web marketers aren’t interested in what you as an individual do, they’re interested in what behavior everyone who visits their site exhibits. The only time “you” become interesting is when “you” through your own actions give us permission to market to you specifically.

The big difference is that Phorm have assigned an ID to IP addresses that BT has given Phorm permission to become identifiable WITHOUT your permission. In my view this is illegal, wrong and prosecutable.